Distributed denial of service attacks have grown larger in scale, more sophisticated and harder to detect, according to three large technology vendors that have recently published analyses of attacks.
DDoS attacks, floods of malicious traffic that can take down a website and cause reputational and other damage to a company, were big news during the fall of 2012, when a group called Izz ad-Din al-Qassam Cyber Fighters carried out a series of them against U.S. banks' websites. Such attacks have not made the news much lately because few have been successful enough to keep a bank's website down for a noteworthy length of time.
This is partly because banks have invested in better DDoS mitigation technology and services, observers say. Another factor is that banks are being targeted less often; financial institutions now account for only about 10% of incidents, while gaming, technology and media companies have become more popular targets.
But attacks are still being launched against banks and other companies, and with greater force than ever, according to large information security providers such as Prolexic (which is now owned by Akamai), Verizon and Verisign. The three companies recently issued reports that shed light on the changing nature of DDoS attacks.
Close to 90% of the DDoS attacks conducted during the first half of 2014 were volumetric attacks, according to Rod Soto, senior security researcher at Akamai PLXsert. In other words, they sent enough traffic at a website to saturate the site and the company's network connection, so the site stopped responding and the company could not serve its customers. (Eighty of the top 100 U.S. banks use his company's service, Soto said.)
One pattern Soto has observed in DDoS attacks on financial institutions is that they usually start at 9:00 a.m. EST and finish about 5:00 p.m. EST.
"Why? Because this will cause the most disruption possible and the media will pick it up," Soto said. "The effects of a successful DDoS campaign are amplified by the use and manipulation of the media." (By contrast, attacks on casinos tend to occur in the late afternoon or at night, he said. They likely are carried out by rival casinos who want to keep customers away from competitors, Soto said.)
Typically, customers of a bank under attack will complain over social media that they can't access their bank's website.
"Attackers will purposely watch social media for signals that their target is failing," Soto said. "Then they will try to underline that. They will retweet it. Once the media picks up on that, it amplifies the perception of the actual attack."
Attackers will use media coverage as a validation that the attack was successful.
BIGGER, SHORTER ATTACKS
Most DDoS attacks are measured by the volume of traffic hurled at a target each second, in gigabits per second (Gbps). In the first quarter, Verisign observed an 83% increase in average DDoS attack size over the previous quarter and a 6% increase from a year earlier, to 3.92 Gbps. The Akamai/Prolexic study found an average peak bandwidth of 7.76 Gbps in the second quarter, down from 9.7 Gbps in the first quarter but close to double the average peak in the second quarter of 2013, 4.5 Gbps.
"Over the last five years, attacks have increased in size, not only in the size of the packets but also the packets per second," said Christopher Porter, managing principal of the Verizon Cyber Intelligence Center.
At the same time, the duration of the typical attack has shortened, researchers say. According to the Akamai/Prolexic report, the average attack lasts 17 hours.
One reason for the increased size of these attacks is the use of "amplification" (also called reflection) techniques.
In an amplification attack, the attacker sends requests to many third-party servers with the source address forged to be the victim's IP address, so the servers send their replies to the victim rather than to the attacker. The technique works over UDP services because there is no connection handshake to confirm where a request really came from. Because the reply to a small query is larger than the query, sometimes thousands of times larger, the attacker's own bandwidth is multiplied by the servers' responses.
"It causes all sorts of havoc, especially as it converges down to the intended victim," Porter said. "It is coming from several different service providers, and as it gets closer to the intended victim, the sizes of those attacks get to be large. So there's usually a lot of collateral damage in those types of attacks. It's not just the victim that gets hit, because the closest gateway router to them may have 100 customers sitting on it, and that whole router could get overwhelmed."
These types of attacks are not new. But researchers found more of them in the first half of this year than in previous years. Attackers also recently began abusing Network Time Protocol (NTP) servers, which synchronize clocks across a network, as reflectors, where previously they mainly used Domain Name System (DNS) servers.
"If you do that for a lot of open NTP servers out there, you can create some havoc," Porter said. Some organizations have begun scanning for open NTP servers and working with the servers' owners to change their configurations so they're not vulnerable to this type of attack.
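The two mechanisms described above, the size arithmetic of a reflected request and what reflected NTP or DNS traffic looks like from the victim's side, as a worked example. This is an added illustration, not code from the article or from Akamai, Verizon or Verisign. The flow records, addresses and byte counts are constructed, the list of reflector service ports is the editor's assumption, and the detector is one simple approach rather than any vendor's method. (The NTP feature that made open servers usable as reflectors is the `monlist` query, which the article does not name.)

```python
"""Reflection/amplification DDoS: the size arithmetic and a victim-side
flow-record detector. Added example with constructed data (not from the
article or any vendor report)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow/IPFIX-style, fields simplified)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    nbytes: int
    packets: int


# UDP services commonly abused as reflectors: they answer whatever source
# address a datagram claims, and reply with more bytes than they were sent.
# (Port list is an assumption for this example, not from the article.)
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: bytes delivered to the victim per byte
    the attacker spent on the spoofed request. Because the request carries the
    victim's address as its source, the attacker pays for the small side only."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def find_reflection(flows: Iterable[Flow], victim_prefix: str,
                    min_reflectors: int = 3, min_ratio: float = 10.0) -> List[dict]:
    """Victim-side detector. Reflected traffic arrives as UDP *replies* from a
    service port to a host that never sent the matching requests: many distinct
    'servers', a large inbound byte count, and little or nothing outbound to
    those servers. A legitimate client shows the opposite shape (one or a few
    servers, bytes in of the same order as bytes out)."""
    # (victim_ip, service_port) -> reflector_ip -> inbound bytes
    inbound: Dict[Tuple[str, int], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    # (victim_ip, server_ip, service_port) -> outbound bytes (the requests)
    outbound: Dict[Tuple[str, str, int], int] = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_ip.startswith(victim_prefix) and f.src_port in REFLECTOR_PORTS:
            inbound[(f.dst_ip, f.src_port)][f.src_ip] += f.nbytes
        elif f.src_ip.startswith(victim_prefix) and f.dst_port in REFLECTOR_PORTS:
            outbound[(f.src_ip, f.dst_ip, f.dst_port)] += f.nbytes

    alerts = []
    for (victim, port), per_reflector in inbound.items():
        total_in = sum(per_reflector.values())
        total_out = sum(outbound.get((victim, r, port), 0) for r in per_reflector)
        ratio = total_in / total_out if total_out else float("inf")
        if len(per_reflector) >= min_reflectors and ratio >= min_ratio:
            alerts.append({"victim": victim, "service": REFLECTOR_PORTS[port],
                           "reflectors": len(per_reflector), "bytes_in": total_in,
                           "bytes_out": total_out, "ratio": ratio})
    return alerts


# Constructed sample (RFC 5737 documentation addresses). 198.51.100.10 receives
# four NTP "replies" it never requested; 198.51.100.20 is a normal NTP client
# of one server; 198.51.100.10 also does one ordinary DNS lookup.
SAMPLE_FLOWS = [
    Flow("203.0.113.1", 123, "198.51.100.10", 40001, "udp", 48_200, 100),
    Flow("203.0.113.2", 123, "198.51.100.10", 40001, "udp", 48_200, 100),
    Flow("203.0.113.3", 123, "198.51.100.10", 40001, "udp", 48_200, 100),
    Flow("203.0.113.4", 123, "198.51.100.10", 40001, "udp", 48_200, 100),
    Flow("198.51.100.20", 51234, "203.0.113.9", 123, "udp", 180, 2),
    Flow("203.0.113.9", 123, "198.51.100.20", 51234, "udp", 180, 2),
    Flow("198.51.100.10", 52000, "192.0.2.53", 53, "udp", 70, 1),
    Flow("192.0.2.53", 53, "198.51.100.10", 52000, "udp", 120, 1),
]

if __name__ == "__main__":
    # A 90-byte spoofed query answered with 48,200 bytes (constructed numbers)
    print(f"amplification: {amplification_factor(90, 48_200):.0f}x")
    for alert in find_reflection(SAMPLE_FLOWS, "198.51.100."):
        print(alert)
```

Run against real flow exports, the same comparison is done per time window and per service port, and the thresholds are tuning knobs, not fixed values. On the server side, the configuration change the article alludes to for NTP is to stop answering `monlist` for arbitrary clients: in ntp.conf, `disable monitor`, or a default `restrict` line that includes `noquery`, or an upgrade to an ntpd release that no longer implements the query (editor's note, not from the article).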